FreeBSD Jail With iocage
This tutorial shows how zrepl can be installed on FreeBSD, or FreeNAS in a jail using iocage. While this tutorial focuses on using iocage, much of the setup would be similar using a different jail manager.
From a security perspective, just keep in mind that recv was never designed with jails in mind: an attacker could probably crash the receive-side kernel or, worse, induce stateful damage to the receive-side pool if they were able to get access to the jail. The jail doesn't provide security benefits, only management ones.
A dataset that will be delegated to the jail needs to be created if one does not already exist. For the tutorial tank/zrepl will be used.
zfs create -o mountpoint=none tank/zrepl
The only software requirement on the host system is iocage, which can be installed from ports or packages.
pkg install py37-iocage
iocage will "activate" on first use, which will set up some defaults such as which pool will be used. To activate iocage manually, the iocage activate command can be used.
There are two options for jail creation using FreeBSD.
- Manually set up the jail from scratch
- Create the jail using the zrepl plugin. On FreeNAS this is possible from the user interface using the community index.
Create a jail, using the same release as the host, called zrepl that will be automatically started at boot. The jail will have tank/zrepl delegated into it.
iocage create --release "$(freebsd-version -k | cut -d '-' -f '1,2')" --name zrepl \
      boot=on nat=1 \
      jail_zfs=on \
      jail_zfs_dataset=zrepl \
      jail_zfs_mountpoint='none'
Enter the jail:
iocage console zrepl
pkg update && pkg upgrade
pkg install zrepl
Create the log file
touch /var/log/zrepl.log && service newsyslog restart
Tell syslogd to redirect facility local0 to the
service syslogd reload
Enable the zrepl daemon to start automatically at boot:
When using the plugin, zrepl will be installed for you in a jail using the following
Additionally, the delegated dataset should be specified upon creation, and start on boot can optionally be set. This can also be done from the FreeNAS web UI.
fetch https://raw.githubusercontent.com/ix-plugin-hub/iocage-plugin-index/master/zrepl.json -o /tmp/zrepl.json
iocage fetch -P /tmp/zrepl.json --name zrepl jail_zfs_dataset=zrepl boot=on
zrepl can be configured.
Enter the jail.
iocage console zrepl
/usr/local/etc/zrepl/zrepl.yml configuration file.
Note: check out the quick-start guides for examples of a
zrepl can be started.
service zrepl start
Congratulations, you have a working jail!
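Because the jail is a management boundary rather than a security one, it is worth confirming from the host that only tank/zrepl and its children are delegated. The sh script below is an added example, not part of the zrepl documentation; the function names and sample listings are constructed, and it assumes the tab-separated output of `zfs get -H -o name,value -r jailed tank`.

```sh
#!/bin/sh
# Added example (not from the zrepl docs): host-side audit of ZFS delegation.
# Live usage on the host, assuming the pool is named tank as in the tutorial:
#   zfs get -H -o name,value -r jailed tank | audit_jailed tank/zrepl

# audit_jailed EXPECTED_ROOT
# stdin: "<dataset>\t<jailed value>" lines. Reports any dataset with jailed=on
# that is neither EXPECTED_ROOT nor below it, and a missing delegation of
# EXPECTED_ROOT itself. Returns 0 only when delegation matches expectations.
audit_jailed() {
    awk -F '\t' -v root="$1" '
        $2 == "on" {
            if ($1 == root) { seen = 1; next }
            # Match on "root/" so a sibling like tank/zrepl2 is not accepted.
            if (index($1, root "/") == 1) next
            print "unexpected delegated dataset: " $1
            bad = 1
        }
        END {
            if (!seen) { print "expected dataset not delegated: " root; bad = 1 }
            exit (bad ? 1 : 0)
        }'
}

# Constructed sample listings (not real output).
sample_ok() {
    printf 'tank\toff\ntank/iocage\toff\ntank/zrepl\ton\ntank/zrepl/sink\ton\n'
}
sample_bad() {
    printf 'tank\toff\ntank/home\ton\ntank/zrepl\ton\n'
}

sample_ok | audit_jailed tank/zrepl && echo "ok: only tank/zrepl is delegated"
sample_bad | audit_jailed tank/zrepl || echo "review delegation before use"
```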